Secure Your Network Connection with OpenVPN and Raspberry Pi
Updated October 2, 2023
Learn how to set up a VPN server on your Raspberry Pi for secure and private internet access.
Introduction
OpenVPN is an open-source virtual private network (VPN) software that enables you to create a secure point-to-point or site-to-site connection over the internet. It encrypts all data passing through the VPN tunnel, so anyone who intercepts the traffic cannot read your sensitive information. With Raspberry Pi, you can set up an affordable and reliable VPN server at home or work to protect your online activities from prying eyes.
In this article, we will guide you through a fresh installation of OpenVPN on a Raspberry Pi device running Raspbian OS (Raspberry Pi’s default operating system). We assume that you have a basic knowledge of Linux commands and networking concepts.
Prerequisites
Before starting, make sure your Raspberry Pi is connected to the internet and has an active IP address. You can check this by running ifconfig in the terminal. Also, install the latest version of Raspbian OS on your device if you haven’t already done so.
Step 1: Update and Upgrade Raspbian OS
Before installing OpenVPN, it is important to update and upgrade all packages to ensure compatibility with other dependencies. Run the following commands in the terminal to do this:
sudo apt-get update && sudo apt-get upgrade -y
This will fetch the latest package lists from the repositories and install any available updates for your system.
Step 2: Install OpenVPN
Now, you can proceed with installing OpenVPN on your Raspberry Pi. Run the following command to do this:
sudo apt-get install openvpn -y
This will install the version of OpenVPN available in the Raspbian repositories, along with all its dependencies.
Step 3: Generate Certificates and Keys
OpenVPN uses digital certificates and keys for authentication between client and server. You can generate these using easy-rsa, a script provided by OpenVPN. First, download the easy-rsa package:
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-unix-v3.0.8.tgz
tar xzf EasyRSA-unix-v3.0.8.tgz
Create a new directory for the keys and certificates:
mkdir ~/openvpn-ca
cd ~/openvpn-ca
Copy the easy-rsa scripts and sample configuration files to this directory:
cp -r /usr/share/easy-rsa/* .
Edit the vars file with your preferred text editor, for example, nano:
nano vars
Set the variables as follows:
export EASYRSA_KEY_SIZE=2048
export EASYRSA_CA_EXPIRE=3650
export EASYRSA_CRL_DAYS=3650
export EASYRSA_ALGO=rsa
Save the file and exit. Then, initialize the PKI (Public Key Infrastructure):
source ./vars
./easyrsa init-pki
Generate a Certificate Authority (CA) certificate and key:
./easyrsa build-ca nopass
Create the Diffie-Hellman parameters for added security:
./easyrsa gen-dh
Now, generate a server certificate and key:
./easyrsa build-server-full server nopass
Create a client certificate and key:
./easyrsa build-client-full client1 nopass
Finally, copy the files the server needs to the OpenVPN directory. The CA private key (pki/private/ca.key) is not used by the server, so it stays in the PKI directory:
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn
Step 4: Configure OpenVPN Server
Create a new configuration file for the server:
sudo nano /etc/openvpn/server.conf
Add the following content to the file and save it:
port 11943
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
This configuration sets up an OpenVPN server on port 11943, using UDP as the transport protocol, and creates a virtual network with IP addresses in the range of 10.8.0.0/24. Replace 8.8.8.8 with your preferred DNS server if you want to use a different one.
Step 5: Create Tunnel Authentication Key
Generate a new key for tunnel authentication:
openvpn --genkey --secret ta.key
Copy the ta.key file to the OpenVPN directory:
sudo cp ta.key /etc/openvpn
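A check to run before starting the server, added here as an example (it is not part of the original article or of OpenVPN): it flags a CA private key left in the server directory, private keys that are not owner-only, and pushed DNS addresses that are not valid IPv4. The function names audit_openvpn_dir and is_ipv4 are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-start audit of the OpenVPN directory built in Steps 3-5.
# Function names are assumptions; nothing here is part of OpenVPN itself.

# True only for a dotted quad with four octets in 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# usage: audit_openvpn_dir DIR   (prints findings, returns 1 if there are any)
audit_openvpn_dir() {
    dir=$1
    findings=0

    # The CA private key signs new certificates; server.conf never reads it.
    if [ -e "$dir/ca.key" ]; then
        echo "ca.key: CA private key should not be stored in $dir"
        findings=$((findings + 1))
    fi

    # Private keys must be owner-only (mode 600 or 400).
    for k in server.key ta.key; do
        if [ ! -e "$dir/$k" ]; then
            echo "$k: missing"
            findings=$((findings + 1))
        elif [ -n "$(find "$dir/$k" ! -perm 600 ! -perm 400)" ]; then
            echo "$k: mode is not 600 or 400"
            findings=$((findings + 1))
        fi
    done

    # Every DNS server pushed to clients must be a valid IPv4 address.
    for ip in $(sed -n 's/^push "dhcp-option DNS \(.*\)"$/\1/p' "$dir/server.conf" 2>/dev/null); do
        if ! is_ipv4 "$ip"; then
            echo "server.conf: pushed DNS address '$ip' is not a valid IPv4 address"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it as sudo sh -c '. ./audit.sh; audit_openvpn_dir /etc/openvpn' (the file name audit.sh is an assumption); no output and exit status 0 mean nothing was flagged.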
Step 6: Start and Enable OpenVPN Server
Start the OpenVPN server with the following command:
sudo systemctl start openvpn@server
Enable it to automatically start at boot:
sudo systemctl enable openvpn@server
Step 7: Configure Firewall Rules (Optional)
To allow traffic through port 11943, you may need to configure firewall rules. First, install ufw if it’s not already installed:
sudo apt-get install ufw -y
Then, enable the firewall and allow OpenVPN traffic:
sudo ufw enable
sudo ufw allow 11943/udp
Step 8: Connect to VPN from Client Device
On your client device, download and install an OpenVPN client compatible with your operating system. Configure the client to connect to your Raspberry Pi’s IP address and port 11943. Use the client certificate (client1.crt) and key (client1.key) generated earlier.
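Step 8 names the client certificate and key but not the rest of the client configuration. The following added example (not from the original article) builds a single-file profile whose settings mirror the server.conf from Step 4, including the CA certificate and the tls-auth key the client also needs; the function name make_client_ovpn, its argument order, and the sample address in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: build a single-file client profile (.ovpn) for the server.conf
# in Step 4. Function name and arguments are assumptions; 203.0.113.10 is a sample.
# usage: make_client_ovpn client1 203.0.113.10 ~/openvpn-ca/pki ~/openvpn-ca/ta.key client1.ovpn
make_client_ovpn() {
    name=$1 server=$2 pki=$3 ta=$4 out=$5

    # Refuse to write a half-built profile if any input is missing.
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # The profile embeds the client's private key, so create it owner-only.
    rm -f "$out"
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $server 11943
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
EOF
            echo "<ca>";       cat "$pki/ca.crt";            echo "</ca>"
            # easyrsa prepends a text dump to issued certs; keep only the PEM.
            echo "<cert>"
            sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pki/issued/$name.crt"
            echo "</cert>"
            echo "<key>";      cat "$pki/private/$name.key"; echo "</key>"
            echo "<tls-auth>"; cat "$ta";                    echo "</tls-auth>"
        } > "$out"
    )
}
```

key-direction 1 is the client-side counterpart of the server's tls-auth ta.key 0, and remote-cert-tls server makes the client reject any peer whose certificate was not issued for server use. Transfer the resulting file to the client over a protected channel, since it contains the client's private key.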
Now, you have successfully set up an OpenVPN server on your Raspberry Pi. All your internet traffic is now securely tunneled through the VPN connection for added privacy and security.
Conclusion
In this article, we learned how to perform a fresh installation of OpenVPN on a Raspberry Pi device running Raspbian OS. With a few simple steps, you can set up a powerful VPN server that protects your online activities and keeps your data secure from prying eyes. Make sure to update the software regularly and keep your certificates and keys safe for optimal security.